TAXII 2.1 and direct IOC access for production SOC workflows
TAXII 2.1 is a standard way to publish threat-intelligence collections so SIEMs and TIPs can ingest indicators without custom scrapers or brittle one-off JSON parsers. BlackDome exposes both TAXII 2.1 collections and a direct IOC query endpoint behind the same Bearer-token authentication model.
Send Authorization: Bearer bd_... on every request.
Use TAXII for SIEM ingestion or the direct IOC endpoint for automation and local tooling.
Indicators sourced from the BlackDome honeypot mesh and ThreatDrop detections.
Use your API key as a Bearer token
The Threat Intel Feed uses the same Bearer-key pattern across TAXII and direct endpoint access.
Request header
Add the same header for both TAXII requests and direct IOC queries.
Authorization: Bearer bd_your_key
Core Threat Intel endpoints
Use TAXII for standards-based collection sync, or the direct IOC endpoint for scripts, enrichment workers, and custom pipelines.
GET /taxii2/collections/
List available TAXII collections and discover the collection IDs your SIEM can poll.
curl -H "Authorization: Bearer bd_your_key" \
  "https://blackdome.ai/taxii2/collections/"
GET /taxii2/collections/{id}/objects/
Fetch STIX objects added after a specific date from the Threat Intel collection.
curl -H "Authorization: Bearer bd_your_key" \
  "https://blackdome.ai/taxii2/collections/blackdome-iocs/objects/?added_after=2026-03-01"
GET /api/blackdome/iocs
Direct IOC query endpoint for JSON clients, scripts, and enrichment jobs.
curl -H "Authorization: Bearer bd_your_key" \
  "https://blackdome.ai/api/blackdome/iocs?type=indicator&limit=50"
SIEM integration notes
You only need the feed URL and your Bearer token. The dashboard gives you the same values in copy-ready format.
Splunk
Use the TAXII collection URL as the feed endpoint and add your Bearer token in the authorization header for your threat-intel input.
Microsoft Sentinel
Point your TAXII connector or custom ingestion job at the BlackDome collection URL and supply the Bearer token for authentication.
Elastic
Use the TAXII collection URL for feed polling, or the direct IOC JSON endpoint if you prefer custom pipeline transforms.
Per-tier limits
Community access is intentionally conservative. Pro and Enterprise unlock higher request volume and faster delivery.
| Tier | Limits |
|---|---|
| Community | 100 IOCs/day, 30 rpm, 72-hour delay |
| Pro | 5,000 requests/day, 300 rpm, real-time API access |
| Enterprise | 50,000 requests/day, 1,000 rpm, TAXII 2.1 real-time feed |
Example direct IOC response
Direct IOC queries return tenant-scoped indicators with confidence, ATT&CK context, sighting counts, and metadata.
JSON example
Real fields returned by GET /api/blackdome/iocs.
{
  "total": 2,
  "iocs": [
    {
      "id": "3dfdf2f7-f637-4b7b-bb42-983b4f8b94fe",
      "ioc_type": "ip",
      "ioc_value": "91.92.242.79",
      "confidence": 91,
      "effective_confidence": 96,
      "severity": "high",
      "verdict": "malicious",
      "mitre_tactics": [
        "credential-access"
      ],
      "mitre_techniques": [
        "T1110"
      ],
      "source_type": "honeypot",
      "tags": [
        "bruteforce",
        "ssh",
        "credential-theft"
      ],
      "sighting_count": 43,
      "first_seen": "2026-03-18T04:21:00+00:00",
      "last_seen": "2026-03-20T02:48:00+00:00",
      "metadata": {
        "country": "RU",
        "asn": "AS12389"
      }
    },
    {
      "id": "bece3aaf-8be2-4625-810f-efb07a17f4a0",
      "ioc_type": "domain",
      "ioc_value": "secure-payments-login.example",
      "confidence": 82,
      "effective_confidence": 82,
      "severity": "medium",
      "verdict": "phishing",
      "mitre_tactics": [
        "credential-access"
      ],
      "mitre_techniques": [
        "T1566"
      ],
      "source_type": "threatdrop",
      "tags": [
        "brand-abuse",
        "phishing-kit"
      ],
      "sighting_count": 9,
      "first_seen": "2026-03-19T11:14:00+00:00",
      "last_seen": "2026-03-20T01:08:00+00:00",
      "metadata": {
        "redirect_chain_length": 2
      }
    }
  ],
  "limit": 50,
  "offset": 0
}
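An added example, not BlackDome's own client code: it pages through the direct IOC endpoint and builds per-type blocklists from indicators whose effective_confidence clears a threshold, using the response fields shown above. Assumptions: `offset` is accepted as a query parameter (the page shows it only in the response), the `BLACKDOME_API_KEY` environment variable name, the threshold of 90, and all function names are hypothetical.

```python
import json
import os
import urllib.parse
import urllib.request

BASE_URL = "https://blackdome.ai/api/blackdome/iocs"  # endpoint from the page


def http_fetch(params):
    """Live fetcher: the token comes from the environment, never from source."""
    token = os.environ["BLACKDOME_API_KEY"]  # assumed variable name
    req = urllib.request.Request(
        BASE_URL + "?" + urllib.parse.urlencode(params),
        headers={"Authorization": "Bearer " + token},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def collect_iocs(fetch, min_confidence=90, page_size=50, max_pages=100):
    """Page through the endpoint and keep high-confidence values by ioc_type."""
    blocklists, seen, offset = {}, set(), 0
    for _ in range(max_pages):  # hard stop so a wrong `total` cannot loop forever
        page = fetch({"type": "indicator", "limit": page_size, "offset": offset})
        iocs = page.get("iocs", [])
        for ioc in iocs:
            key = (ioc["ioc_type"], ioc["ioc_value"])
            if ioc.get("effective_confidence", 0) >= min_confidence and key not in seen:
                seen.add(key)  # de-duplicate across pages
                blocklists.setdefault(ioc["ioc_type"], []).append(ioc["ioc_value"])
        offset += len(iocs)
        if not iocs or offset >= page.get("total", 0):
            break
    return blocklists


# Constructed sample, trimmed to the fields used, shaped like the response above.
SAMPLE = [
    {"ioc_type": "ip", "ioc_value": "91.92.242.79", "effective_confidence": 96},
    {"ioc_type": "domain", "ioc_value": "secure-payments-login.example",
     "effective_confidence": 82},
]


def fake_fetch(params):
    """Offline stand-in for http_fetch that honours limit and offset."""
    start = params["offset"]
    return {"total": len(SAMPLE), "iocs": SAMPLE[start:start + params["limit"]]}
```

Call `collect_iocs(http_fetch)` to run against the live endpoint; with `fake_fetch` and the default threshold only the IP indicator is kept, because the domain's effective_confidence of 82 falls below 90.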